Scribd
Upload
628 views

Checkpoint Troubleshooting

Uploaded by

Krasimir Kotsev
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
628 views

Checkpoint Troubleshooting

Uploaded by

Krasimir Kotsev
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 33

Troubleshooting

Check Point
Firewalls
A structured approach
Christian Halbe / September 12, 2012

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Troubleshooting Check Point Firewalls


A structured approach
Agenda

Data collection
General health parameters

OS parameters to check
fw status and tables
Cluster state

Analysis flow
A journey to the center of the firewall

Packet travel through the firewall


Acceleration and side effects of SecureXL

Fw monitor

i-I-o-O : What exactly does it mean


Filtering
Interaction with Acceleration
Advanced analysis with Wireshark

Not covered here: VSX, VPN


2

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Collect information
is it really the firewall
to blame?

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Data collection
... Is it really the firewall?
Get the facts together

Understand the environment

Source
Destination
Port
Traceroute from both ends
Any NAT involved?

Get a network diagram


Identify all components in the path
Check for recent changes
Check for history of earlier
problems

Understand the problem

What symptoms are observed?


When did it start?
How can it be reproduced?
Is there a pattern?

Consider time of day, other regular


events, network and machine load

Does it affect only particular users


or hosts?

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Checks for general


firewall health

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Firewall health checks


Especially when issues are reported in general, reports are fuzzy
(multiple reports of different issues) or if the problem is intermittent,
check some basics first.
top example of a moderately loaded system
top - 12:34:47 up 204 days, 18:30,
Tasks:

92 total,

2 running,

1 user,

load average: 0.82, 1.00, 0.90

90 sleeping,

0 stopped,

0 zombie

Cpu0

1.7%us,

2.0%sy,

0.0%ni, 80.0%id,

0.0%wa,

3.7%hi, 12.7%si,

Cpu1

0.0%us,

0.3%sy,

0.0%ni, 81.0%id,

0.0%wa,

4.3%hi, 14.3%si,

Cpu2

0.0%us,

0.0%sy,

0.0%ni, 83.9%id,

0.0%wa,

1.7%hi, 14.4%si,

Cpu3

0.0%us,

0.7%sy,

0.0%ni, 23.3%id,

0.0%wa,

0.0%hi, 76.0%si,

Mem:

2073884k total,

1709532k used,

364352k free,

Swap:

4192956k total,

563280k used,

3629676k free,

SHR S %CPU %MEM

1 for
0.0%st
average
0.0%st
0.0%st

225088k buffers
62776k cached

PID USER

PR

NI

VIRT

RES

TIME+

COMMAND

2111 root

15

0 S

77

0.0

3477 root

15

432m

76m

13m R

3.8

2248 root

15

0 S

0.0

3844 root

15

0 13488 5484 5168 S

0.3 150:03.05 dtls

1 root

15

1600

472

448 S

0.0

0:11.64 init

2 root

RT

-5

0 S

0.0

0:10.34 migration/0

22898:41 fw_worker_0
8632:24 fw
40:00.79 fw_worker_2

[...]
6

0.0%st
Press

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

P, M to
sort

Firewall health checks


Interface status
cpstat os -f ifconfig
Interface configuration table
---------------------------------------------------------------------------------|Name|Address

|Mask

|MTU

|State|Mac Address

|Description

---------------------------------------------------------------------------------|lo

127.0.0.1|

|s0p1|

255.0.0.0|16436|

1|

|Not supported|

172.16.1.2|255.255.255.252| 1500|

1|44-1e-a1-47-1e-98|Not supported|

|s0p0|207.169.218.181|255.255.255.248| 1500|

1|44-1e-a1-47-1e-9a|Not supported|

|s2p1| 192.238.41.110|255.255.255.240| 1500|

1|a0-36-9f-00-48-04|Not supported|

----------------------------------------------------------------------------------

Interface counters
netstat -i
Kernel Interface table
Iface
lo

MTU Met

RX-OK RX-ERR RX-DRP RX-OVR

TX-OK TX-ERR TX-DRP TX-OVR Flg

16436

4001875

4001875

0 LRU

s0p0

1500

7562334

7744992

0 BMRU

s0p1

1500

0 87522045

0 87252894

0 BMRU

s2p1

1500

0 BMRU

7222468

7127176

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Firewall health checks


Interface settings
When an interface shows errors, check details, especially duplex:
ethtool <interface>
Settings for s0p0:
Supported ports: [ TP ]
Supported link modes:

10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full

Supports auto-negotiation: Yes


Advertised link modes:

10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full

Advertised auto-negotiation: Yes


Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: g
Wake-on: g
Link detected: yes
8

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Firewall health checks


Current connections
[Expert@datgwy04a]# fw tab -s -t connections
HOST

NAME

ID #VALS #PEAK #SLINKS

localhost

connections

8158 69747 119421

258651

[Expert@datgwy04a]# fw ctl pstat | grep Connections


Concurrent Connections: 46% (70344 out of 149900) - below low watermark

NAT table
[Expert@datgwy04a]# fw tab -s -t fwx_alloc
HOST

NAME

ID #VALS #PEAK #SLINKS

localhost

fwx_alloc

8187 96380 145115

Which policy is installed, when was it changed


fw stat -l
HOST

IF

POLICY

DATE

TOTAL REJECT

DROP ACCEPT

LOG

localhost >s0p1 GM_C2SSN_EMEA 22Aug2012 13:27:39

localhost <s0p1 GM_C2SSN_EMEA 22Aug2012 13:27:39

localhost >s0p0 GM_C2SSN_EMEA 22Aug2012 13:27:39 245744

18 245726

localhost <s0p0 GM_C2SSN_EMEA 22Aug2012 13:27:39 429989

30 429959

30

localhost <s2p1 GM_C2SSN_EMEA 22Aug2012 13:27:39

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Firewall health checks Cluster XL


Cluster status information
[Expert@DEEDCDFGMNA001]# cphaprob state
Cluster Mode:

New High Availability (Primary Up)

Number

Unique Address

Assigned Load

State

172.16.1.1

100%

Active

2 (local)

172.16.1.2

0%

Standby

Display ClusterXL Devices health status


cphaprob ia list
Display physical and cluster interfaces
cphaprob a if
Statistics of ClusterXL sync
fw ctl pstat
cphaprob syncstat

Messages
Always browse through the latest entries in /var/log/messages

10

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Analysis flow

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Analysis flow initial


Basic steps to follow when a failed connection is reported
Be sure that implied rules are logged.

Is it in the
firewall
log?
Also check
the log with
src/dst
swapped
(asymmetric
routing? Only
return traffic
on the
firewall?)
If you get a
log, follow the
accept or
drop flow.

Is it seen
on the
inbound IF?
Check with
tcpdump
while the
connection is
being tested.
When you
find packets,
continue with
the deep flow
and fw
monitor

Upstream
gateway
reachable?
Check routing
for the source
and ping the
gateway.
If theres no
echo reply, is
there at least
an ARP reply?
Check
arp -a

Proxy ARP
needed?
Is a NAT IP in
the connected
inbound
network
used?
Check proxy
arp fw ctl
arp

Cluster: Is
the cluster
IP up?
Check that
the firewall is
listening on
the cluster IP
by cphaprob
a if

When you reached the end of this chain: Most likely routing is not okay or there
might be another firewall on the upstream?
12

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Analysis flow red


When you find a drop in the log the red path

Spoofing?

Is the packet
arriving on
the correct
interface?
Check return
routing and
related antispoofing
records.

Drop for
return
packet
only?
Points to
asymmetric
routing
condition.
The initial
packet took
another path.

Accept
followed by
spoofing
drop?
Check the
interface on
the drop. Is it
coming from
the outbound
interface?
Then the
downstream
router is
bouncing the
packet back.

Accept
followed by
other drop?
Typically
caused by
protocol
anomalies.
Example: FTP
session not
adhering to
Check Points
RFC
interpretation

Check the
rulebase for
ordering
issues. Try
recreating the
rule in
another
position.

Migh require
full tcpdump
capture for
further
analysis
just
a rule change

When you reached the end of this chain: Perhaps


required... Or you have might just have discovered a bug...
13

Ordinary
drop?

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

is

Analysis flow green


When you find an accept in the log the green path

Check for
NAT
Check the log
entry. Is NAT
required? Is it
properly
applied?

Check
destination
routing

Downstrea
m gateway
reachable?

Is the packet
forwarded to
the right
interface and
gateway?

Check routing
for the
destination
and ping the
gateway.

On historic
policies: Is
the NAT
destination
route in
place?

If theres no
echo reply, is
there at least
an ARP reply?
Check
arp a

Proxy ARP
needed?
Is a source
NAT IP in the
connected
oztbound
network
used?
Check proxy
arp fw ctl
arp

Cluster: Is
the cluster
IP up?
Check that
the firewall is
listening on
the cluster IP
on the
outbound
interface by
cphaprob a
if

When you reached the end of this chain: Most likely routing is not okay to the
destination or back. There might also be another firewall on the downstream...
Is the target up and listening?
14

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Analysis flow deep


Applying fw monitor deep dive

Run fw
monitor
Try to apply a
reasonable
inspect filter
to limit the
volume of
data

Is the
packet
making it
through?
When you
see the
packet
disappearing
within the
firewall
chains, check
for silent
drops with fw
ctl zdebug
drop

Is there
return
traffic?
Check for
return traffic.
Is it going
back to the
correct
interface? Is
any NAT
properly
undone?

Is the
source
reachable?

Time for a
full packet
capture

There may be
a problem
with the
upstream
return route.

If it looks all
correct up to
here, capture
a full session,
reproducing
the problem
for offline
analysis.

Can you ping


the source
from the
firewall?

When you reached the end of this chain the issue most likely is beyond what
can be easily fixed.
15

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

A journey to the center of


the firewall
fw monitor in detail

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Packet travel through the firewall

OS IP Stack L3
Check Point
in chain

Check Point
out chain

Optional: Secure XL

17

OS NIC driver

OS NIC driver

eth0

eth1

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Firewall chain principle


OS IP Stack L3

in chain

Virtual Reassembly

Accounting

IP side accounting
NAT / VM
VPN Policy

NAT / VM

FloodGate

VPN verify

VPN Enc

VPN Dec

IQ
Accounting

Wire side accounting


Virtual Reassembly

RTM
NIC

18

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

out chain

RTM
FloodGate / IQ
VPN Policy

The firewall chains in real life


[Expert@datgwy04a]# fw ctl chain

[Expert@DEEDCDFGMNA001]# fw ctl chain

in chain (19):

in chain (12):

0: -7f800000 (f1a10ee0) (ffffffff) IP Options Strip (in) (ipopt_strip)

0: -7f800000 (e2590ee0) (ffffffff) IP Options Strip (in) (ipopt_strip)

1: -7d000000 (f14b6bc0) (00000003) vpn multik forward in

1: - 1fffff6 (e2592190) (00000001) Stateless verifications (in) (asm)

2: - 2000000 (f149fa90) (00000003) vpn decrypt (vpn)

2: - 1fffff5 (e28e3fe0) (00000001) fw multik VoIP Forwarding

3: - 1fffff8 (f14aa8c0) (00000001) l2tp inbound (l2tp)

3: - 1000000 (e25db410) (00000003) SecureXL conn sync (secxl_sync)

4: - 1fffff6 (f1a12190) (00000001) Stateless verifications (in) (asm)

4:

0 (e254b7f0) (00000001) fw VM inbound

5: - 1fffff5 (f1d63fe0) (00000001) fw multik VoIP Forwarding

5:

1 (e25a7f00) (00000002) wire VM inbound

6: - 1fffff2 (f14bedb0) (00000003) vpn tagging inbound (tagging)

6:

10000000 (e25e0a00) (00000003) SecureXL inbound (secxl)

7: - 1fffff0 (f14a08a0) (00000003) vpn decrypt verify (vpn_ver)

7:

7f600000 (e2587ed0) (00000001) fw SCV inbound (scv)

8: - 1000000 (f1a5b410) (00000003) SecureXL conn sync (secxl_sync)

8:

7f730000 (e26acba0) (00000001) passive streaming (in) (pass_str)

9:

9:

7f750000 (e276d4c0) (00000001) TCP streaming (in) (cpas)

0 (f19cb7f0) (00000001) fw VM inbound

10:
11:

(fw)

1 (f1a27f00) (00000002) wire VM inbound

(wire_vm)

2000000 (f14a29e0) (00000003) vpn policy inbound (vpn_pol)

(wire_vm)

10:

7f800000 (e2591260) (ffffffff) IP Options Restore (in) (ipopt_res)

11:

7fb00000 (e273cc70) (00000001) HA Forwarding (ha_for)

12:

10000000 (f1a60a00) (00000003) SecureXL inbound (secxl)

13:

21500000 (f0e5a8c0) (00000001) RTM packet in (rtm)

0: -7f800000 (e2590ee0) (ffffffff) IP Options Strip (out) (ipopt_strip)

14:

7f600000 (f1a07ed0) (00000001) fw SCV inbound (scv)

1: - 1fffff0 (e276d340) (00000001) TCP streaming (out) (cpas)

15:

7f730000 (f1b2cba0) (00000001) passive streaming (in) (pass_str)

2: - 1ffff50 (e26acba0) (00000001) passive streaming (out) (pass_str)

16:

7f750000 (f1bed4c0) (00000001) TCP streaming (in) (cpas)

3: - 1f00000 (e2592190) (00000001) Stateless verifications (out) (asm)

17:

7f800000 (f1a11260) (ffffffff) IP Options Restore (in) (ipopt_res)

4:

18:

7fb00000 (f1bbcc70) (00000001) HA Forwarding (ha_for)

5:

out chain (16):

out chain (9):

0 (e254b7f0) (00000001) fw VM outbound (fw)


1 (e25a7f00) (00000002) wire VM outbound

(wire_vm)

6:

10000000 (e25e0a00) (00000003) SecureXL outbound (secxl)

0: -7f800000 (f1a10ee0) (ffffffff) IP Options Strip (out) (ipopt_strip)

7:

7f700000 (e276d0e0) (00000001) TCP streaming post VM (cpas)

1: -78000000 (f14b6ba0) (00000003) vpn multik forward out

8:

7f800000 (e2591260) (ffffffff) IP Options Restore (out) (ipopt_res)

2: - 1ffffff (f14a1630) (00000003) vpn nat outbound (vpn_nat)


3: - 1fffff0 (f1bed340) (00000001) TCP streaming (out) (cpas)
4: - 1ffff50 (f1b2cba0) (00000001) passive streaming (out) (pass_str)
5: - 1ff0000 (f14bedb0) (00000003) vpn tagging outbound (tagging)
6: - 1f00000 (f1a12190) (00000001) Stateless verifications (out) (asm)
7:
8:

19

(fw)

0 (f19cb7f0) (00000001) fw VM outbound (fw)


1 (f1a27f00) (00000002) wire VM outbound

(wire_vm)

9:

2000000 (f14a2490) (00000003) vpn policy outbound (vpn_pol)

10:

10000000 (f1a60a00) (00000003) SecureXL outbound (secxl)

11:

1ffffff0 (f14aa550) (00000001) l2tp outbound (l2tp)

12:

20000000 (f14a1870) (00000003) vpn encrypt (vpn)

13:

24000000 (f0e5a8c0) (00000001) RTM packet out (rtm)

14:

7f700000 (f1bed0e0) (00000001) TCP streaming post VM (cpas)

15:

7f800000 (f1a11260) (ffffffff) IP Options Restore (out) (ipopt_res)

VPN disabled
VPN enabled

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

fw monitor
Captures network traffic at different locations within the firewall chain
by inserting monitor modules into the firewall chain
Uses a INSPECT filter to capture the interesting traffic
Syntax (simplyfied)
fw monitor [e expr][-l len][-ci num][-co num][-m mask][-o
file]
Packets are inspected on 4 points by default, unless a mask is specified
-m option, example m iI
-e specifies an INSPECT code line
-l limits the number of bytes per packet to keep (default: all)
-o specifies an output file. The content can viewed later e.g. with
Wireshark.
-ci ond co: Stop after num packtes have been captured helpful on a
loaded machine with huge traffic

20

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

fw monitor (cont.)
Simple Examples
Track all traffic to or from a host that also relates to port 22 (sport or
dport):
fw monitor e accept host(168.185.163.124) and port(22);

Track everything, but stop after 1000 packets inbound or outbound


(whatever happens first)
fw monitor ci 1000

-co1000

Follow bidirectional communication between a pair of hosts, also


accounting for NAT. Keep only the first 128 Bytes per packet and save to
a capture file
fw monitor e accept ((src=10.10.5.1 or src=192.109.1.1) and dst=128.30.52.37)
or ((dst=10.10.5.1 or dst=192.109.1.1) and src=128.30.52.37); l 128 o
/var/tmp/test.cap

Dont save on parentheses, precedence can be surprising!


Too complex? Theres help available:
21

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

fw monitor (cont.)
INSPECT code generator http://decock.org/ginspect/

((ip_p=6) and (dport=21 or sport=21))and((src=192.168.10.10 and


dst=10.10.8.6) or (dst=192.168.10.10 and src=10.10.8.6)), accept;
22

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

fw monitor (cont.)
[Expert@datgwy04a]# fw monitor -e "accept host(128.30.52.37);"
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[fw_0] Lan1:i[60]: 163.157.6.68 -> 128.30.52.37 (TCP) len=60 id=57528
TCP: 53170 -> 80 .S.... seq=36a3fd54 ack=00000000
[fw_0] Lan1:I[60]: 163.157.6.68 -> 128.30.52.37 (TCP) len=60 id=57528
TCP: 53170 -> 80 .S.... seq=36a3fd54 ack=00000000
[fw_0] Lan5:o[60]: 163.157.6.68 -> 128.30.52.37 (TCP) len=60 id=57528
TCP: 53170 -> 80 .S.... seq=36a3fd54 ack=00000000
[fw_0] Lan5:O[60]: 163.157.6.68 -> 128.30.52.37 (TCP) len=60 id=57528
TCP: 53170 -> 80 .S.... seq=36a3fd54 ack=00000000
[fw_0] Lan5:i[56]: 128.30.52.37 -> 163.157.6.68 (TCP) len=56 id=0
TCP: 80 -> 53170 .S..A. seq=e480fe4d ack=36a3fd55
[fw_0] Lan5:I[56]: 128.30.52.37 -> 163.157.6.68 (TCP) len=56 id=0
TCP: 80 -> 53170 .S..A. seq=e480fe4d ack=36a3fd55
[fw_0] Lan1:o[56]: 128.30.52.37 -> 163.157.6.68 (TCP) len=56 id=0
TCP: 80 -> 53170 .S..A. seq=e480fe4d ack=36a3fd55
[fw_0] Lan1:O[56]: 128.30.52.37 -> 163.157.6.68 (TCP) len=56 id=0
TCP: 80 -> 53170 .S..A. seq=e480fe4d ack=36a3fd55
[fw_0] Lan1:i[52]: 163.157.6.68 -> 128.30.52.37 (TCP) len=52 id=62103
TCP: 53170 -> 80 ....A. seq=36a3fd55 ack=e480fe4e
[fw_0] Lan1:I[52]: 163.157.6.68 -> 128.30.52.37 (TCP) len=52 id=62103
TCP: 53170 -> 80 ....A. seq=36a3fd55 ack=e480fe4e
[fw_0] Lan5:o[52]: 163.157.6.68 -> 128.30.52.37 (TCP) len=52 id=62103
TCP: 53170 -> 80 ....A. seq=36a3fd55 ack=e480fe4e
[fw_0] Lan5:O[52]: 163.157.6.68 -> 128.30.52.37 (TCP) len=52 id=62103
TCP: 53170 -> 80 ....A. seq=36a3fd55 ack=e480fe4e

23

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

fw monitor (cont.)
[Expert@DEEDCDFGMNA001]# fw ctl chain
in chain (14):
0: -7f800000 (e2590ee0) (ffffffff) IP Options Strip (in) (ipopt_strip)
1: -70000000 (e2571c90) (ffffffff) fwmonitor (i/f side)

<- this is i

2: - 1fffff6 (e2592190) (00000001) Stateless verifications (in) (asm)


3: - 1fffff5 (e28e3fe0) (00000001) fw multik VoIP Forwarding
4: - 1000000 (e25db410) (00000003) SecureXL conn sync (secxl_sync)
5:

0 (e254b7f0) (00000001) fw VM inbound

6:

(fw)

1 (e25a7f00) (00000002) wire VM inbound

(wire_vm)

7:

10000000 (e25e0a00) (00000003) SecureXL inbound (secxl)

8:

70000000 (e2571c90) (ffffffff) fwmonitor (IP

9:

7f600000 (e2587ed0) (00000001) fw SCV inbound (scv)

side)

10:

7f730000 (e26acba0) (00000001) passive streaming (in) (pass_str)

11:

7f750000 (e276d4c0) (00000001) TCP streaming (in) (cpas)

12:

7f800000 (e2591260) (ffffffff) IP Options Restore (in) (ipopt_res)

13:

7fb00000 (e273cc70) (00000001) HA Forwarding (ha_for)

<- this is I

out chain (11):


0: -7f800000 (e2590ee0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -70000000 (e2571c90) (ffffffff) fwmonitor (IP

side)

<- this is o

2: - 1fffff0 (e276d340) (00000001) TCP streaming (out) (cpas)


3: - 1ffff50 (e26acba0) (00000001) passive streaming (out) (pass_str)
4: - 1f00000 (e2592190) (00000001) Stateless verifications (out) (asm)
5:
6:

0 (e254b7f0) (00000001) fw VM outbound (fw)


1 (e25a7f00) (00000002) wire VM outbound

(wire_vm)

7:

10000000 (e25e0a00) (00000003) SecureXL outbound (secxl)

8:

70000000 (e2571c90) (ffffffff) fwmonitor (i/f side)

9:

7f700000 (e276d0e0) (00000001) TCP streaming post VM (cpas)

10:

<- this is O

7f800000 (e2591260) (ffffffff) IP Options Restore (out) (ipopt_res)

[Expert@DEEDCDFGMNA001]#

24

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Where we actually watch the traffic

OS IP Stack L3
o

Check Point
in chain

Check Point
out chain

Optional: Secure XL
OS NIC driver
eth0
25

tcpdum
p

OS NIC driver
eth1

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

fwaccel control SecureXL


Acceleration status
Get acceleration status or show statistics:
fwaccel stat
fwaccel stats

Enabling and disabling


Beware: Disabling can have a severe performance impact. Dont do it on
a firewall under high load
fwaccel on | off

Show the Acceleration connection table


Fwaccel conns

26

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

fw monitor and Wireshark


Wireshark can interpret the special info that fw monitor logs instead
of the MAC address.

27

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

fw monitor and Wireshark (cont.)


The following setting is needed in Edit -> Preferences -> Protocols -> Ethernet

Then you van add the Interface column.


28

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

cpeval Firewall load analysis


New tool provided by checkpoint runs in the background and collects statistsics
e.g. for 24 hours.
Measured Data
=============
* Maximum gateway throughput: 438.720801 Mbps
* Maximum packet rate: 82312 Packets/sec
* Maximum CPU: 52%
* Maximum CPU core #0: 61%
* Maximum CPU core #1: 42%
* Maximum CPU core #2: 31%
* Maximum CPU core #3: 74%
* Maximum kernel CPU: 39%
* Maximum kernel CPU core #0: 29%
* Maximum kernel CPU core #1: 25%
* Maximum kernel CPU core #2: 30%
* Maximum kernel CPU core #3: 74%
Number of unique IPs behind gateway: 3039
Maximum concurrent connections: 50419
Maximum memory utilization: 1476 MB
Accelerated packets: 52.99%
VPN traffic: 0.00%
Detected interface packet drops: yes
Detected install policy: no
===================================
29

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

cpeval Firewall load analysis (cont.)


Find it at
https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.D
CFileAction&eventSubmit_doGetdcdetails=&
fileid=13711
Copy to fw und run the shell script with
./cpeval
Hint: Many installations dont have (cp)openssl in the path which is only
needed if you wish to upload the results to Check Point. Just comment it out in
the shell script.
It runs in the background and will end automatically.

30

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Questions?

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Thank you

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

References
Helpful documents
Check Point fw monitor manual
http://
www.checkpoint.com/techsupport/downloads/html/ethereal/fw_monitor_rev1_01.pdf
Extensive Troubleshooting guide from Tobias Lachmann
http://
blog.lachmann.org/wp-content/uploads/2010/09/2010-CPUG-CON-Tobias-Lachmann-Check-P
oint-Troubleshooting.pdf
Very nice KB article about performance related analysis
https
://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutionde
tails=&solutionid=sk33781

33

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

You might also like